[WIP] QR codes and symmetric encryption for broadcast channels #7042
+2,097
−351
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Hocuri
changed the title
This was referenced Jul 28, 2025
Hocuri
force-pushed
the
hoc/channels-encryption-only-qrcodes
branch
from
322bf0c to
abc4e12
Compare
Hocuri
changed the title
Hocuri
force-pushed
the
hoc/channels-encryption-only-qrcodes
branch
2 times, most recently
from
983d050 to
e4e7a36
Compare
…in a 'member added' message.
…ually add a contact to a broadcast list, don't have unpromoted broadcast lists, make basic multi-device, inviter side, work
…another one where I couldn't find the problem
…oadcast_multidevice
…W - fix test_broadcasts_name_and_avatar().
…hown on Bob's device
…'s 1:1 chat a recipient
Turns out that Alice reacts to a request-v2 message in exactly the same way as to a request-with-auth message. So, no need to distinguish here.
… (contact/group/broadcast)
Hocuri
changed the title
Hocuri
changed the title
Hocuri
force-pushed
the
hoc/channels-encryption-only-qrcodes
branch
from
e4e7a36 to
0b365d3
Compare
…xpensive-to-compute s2k algos
Before this, Bob's second device showed a system message "⚠️ It seems you are using Delta Chat on multiple devices that cannot decrypt each other's outgoing messages..."
This makes the automatically generated "alice, alice2" context names correct
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Part of #6884.
This will make it possible to create invite-QR codes for broadcast channels, and make them symmetrically end-to-end encrypted.
I posted the benchmark results at #6884 (comment)
Overview of the protocol when both sides have multi-device
The technical design
The QR codes / invite links and the network protocol build on the securejoin protocol in order to secure broadcast channels against MitM attacks, to securely exchange key material, and to add a member to the broadcast channel.
The mentioned securejoin protocol has 4 steps of exchanging messages. Rather than using the same protocol for broadcast channels, I will implement an improved protocol consisting of only 2 steps, described below. I will call it Securejoin v2.
The securejoin v2 protocol has these advantages over the old protocol:
If Securejoin v2 turns out to work nicely for broadcast channels, we can also use them for group and 1:1 invites, and remove the code for securejoin v1.
The QR code / invite link scheme
I will call the channel owner's device "Alice" and the device of the user who scans / clicks on the invite link "Bob".
Alice creates an invite link like this; QR codes contain the same text.
where:
The network protocol for joining a channel - Securejoin v2
In summary, Bob sends a message that is encrypted symmetrically with the AUTH token. Alice answers by adding Bob to the broadcast channel, and sending the broadcast channel's shared secret to Bob.
This is adapted from https://securejoin.readthedocs.io/en/latest/new.html:
a) Alice generates an invite code for this broadcast channel.
b) The AUTH token is generated specifically for this broadcast channel; Alice remembers in the
tokensSQL table that this AUTH token belongs to this broadcast channel.a) Bob (the user) scans the QR code or clicks on the link. Bob saves Alice's fingerprint into the database and creates the broadcast channel chat; only messages signed with this fingerprint will be allowed in the broadcast channel.
b) Bob sends a message with the header
Secure-Join: vb-request-with-authto Alice. (vb-request-with-authfollows the scheme of the securejoin v1 messages).In the encrypted part, this message contains Bob's own fingerprint
Bob_FPin the headerSecure-Join-Fingerprint.This message additionally contains all the information Delta Chat adds in every message: Bob's public key (so that Alice can send private messages to Bob), as well as Bob's display name and avatar (so that Alice can see who joined her channel; note that Delta Chat makes it easy to create an anonymous profile where the name and avatar are not identifying).
Alice decrypts Bob's
vb-request-with-authmessage using the AUTH token from step 1a) and verifies that Bob’s Autocrypt key matches Bob_FP and that the transferred AUTH matches the one from step 1.
b) If any verification fails, the protocol terminates.
a) Alice adds Bob to the broadcast channel in her database,
b) and sends a message with the header
Secure-Join: vb-member-addedto Bob.This message contains the broadcast channel's shared secret in the header
Chat-Broadcast-Secret.This message is asymmetrically encrypted with Bob's public key; alternatively, it could be encrypted with the AUTH token, or with both the public key and the AUTH token.
Bob saves the shared secret into his database and is now able to decrypt messages that are sent into the channel.
If this network protocol works nicely in practice, we can start using it also for normal contact/group invites.
The symmetric encryption
Symmetric encryption uses a shared secret. Currently, we use AES128 for encryption everywhere in Delta Chat, so, this is what I'm using for broadcast channels (though it wouldn't be hard to switch to AES256).
vb-request-with-authhas 144 bits of entropy (seefn create_idin the code). If and when we switch to AES256, we can just generate larger AUTH tokens.fn create_broadcast_shared_secretin the code).Since the shared secrets have more entropy than the AES session keys, it's not necessary to have a hard-to-compute string2key algorithm, so, I'm using the string2key algorithm
salted. This is fast enough that Delta Chat can just try out all known shared secrets. 1 In order to prevent DOS attacks, Delta Chat will not attempt to decrypt with a string2key algorithm other thansalted2.Footnotes
In a symmetrically encrypted message, it's not visible which secret was used to encrypt without trying out all secrets. If this does turn out to be too slow in the future, then we can assign a short, non-unique (~2 characters) id to every shared secret, and send it in cleartext. The receiving Delta Chat will then only try out shared secrets with this id. Of course, this would leak a little bit of metadata in cleartext, so, I would like to avoid it. ↩
A DOS attacker could send a message with a lot of encrypted session keys, all of which use a very hard-to-compute string2key algorithm. Delta Chat would then try to decrypt all of the encrypted session keys with all of the known shared secrets. In order to prevent this, as I said, Delta Chat will not attempt to decrypt with a string2key algorithm other than
salted↩